Wikipedia:WikiProject on open proxies/Requests/Archives/37
This is an archive of past discussions about Wikipedia:WikiProject on open proxies. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current main page. |
12.89.35.14 and others
{{proxycheckstatus}}
- 12.89.35.14 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 145.15.244.25 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits, is flagged as proxy by IPQualityScore via wmflabs ipcheck Bri.public (talk) 22:14, 10 October 2019 (UTC)
- Add 145.15.244.25. Same type of editing. It is indicated by wmflabs ipcheck as proxy & recent abuse. ☆ Bri (talk) 19:18, 11 October 2019 (UTC)
- There are more Miss World/Miss Earth edits from this range last year. If action is taken on this, I'd ask that this be taken into consideration. [1][2][3] - Bri.public (talk) 20:54, 11 October 2019 (UTC)
- @Bri: The first IP is linked to Fortinet, but does not seem to be an open proxy. The second IP is linked to Nederlandse Spoorwegen (Dutch national railway company) and is presumably a public Wifi network. Pinging Zzuuzz to confirm. --MrClog (talk) 21:37, 13 March 2020 (UTC)
- I concur about the first one. The 145.15.244.25/22 network is an interesting one, with suspicious characteristics. The 145.15.244.0/24 range was blocked both recently and 2 years ago as WP:BKFIP, but I can't find evidence that it's an open proxy (other than being used in the context of Dutch trains). I'm going to say Unlikely IP is an open proxy. -- zzuuzz (talk) 18:03, 15 March 2020 (UTC)
- @Bri: The first IP is linked to Fortinet, but does not seem to be an open proxy. The second IP is linked to Nederlandse Spoorwegen (Dutch national railway company) and is presumably a public Wifi network. Pinging Zzuuzz to confirm. --MrClog (talk) 21:37, 13 March 2020 (UTC)
- There are more Miss World/Miss Earth edits from this range last year. If action is taken on this, I'd ask that this be taken into consideration. [1][2][3] - Bri.public (talk) 20:54, 11 October 2019 (UTC)
2a01:4f8:120:3247::2
{{proxycheckstatus}}
- 2a01:4f8:120:3247::2 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
Reason: Requested unblock. Ivanvector (talk · contribs) blocked the 2A01:4F8:0:0:0:0:0:0/32 range but I can't find a history of abuses from this range. Also, what about using smaller ranges for blocking, like blocking some /48 instead of blocking a full /32? Carmelobrianza (talk) 10:28, 25 October 2019 (UTC)
- The range is Hetzner, a German VPN/webhost/colocation provider. Per the checkuser logs this webhost has been used abusively by at least eight different long-term vandals, some of whom are extremely disruptive. I object to unblocking the range; it's impossible at this time to determine if a smaller subset of the range would make an effective block (WHOIS has /29 for the ISP). Please advise the user to disable their VPN or request an account. Ivanvector (Talk/Edits) 14:05, 25 October 2019 (UTC)
121.118.78.132
{{proxycheckstatus}}
- 121.118.78.132 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits which can be checked against the Daryl Morey contributions by this now blocked proxy user. Lots of strong signs that they are the same person/people, which includesexactly the same way they write and sources they use. Flaughtin (talk) 18:37, 28 October 2019 (UTC)
- Likely IP is an open proxy: openvpn. It's probably a bit too stale to block at this point. -- zzuuzz (talk) 16:15, 15 November 2019 (UTC)
146.88.177.146
{{proxycheckstatus}}
- 146.88.177.146 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits, high IPQualityScore fraud score and appears to be a data center called DataBank, according to whois. ☆ Bri (talk) 03:04, 1 November 2019 (UTC)
- 146.88.176.0/20 range blocked as a colocation webhost. NinjaRobotPirate (talk) 08:56, 3 November 2019 (UTC)
103.67.157.240
{{proxycheckstatus}}
- 103.67.157.240 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: ACC check. High IPQuality fraud score, as shown at [4] OhKayeSierra (talk) 07:18, 1 November 2019 (UTC)
- It's a mobile phone network. Abuseat lists it as currently infected (6 detections in the last 24 hours), which may point to it being a zombie proxy. However, it hasn't edited so no block is needed at the time imo. I'm going to assume that this check is too late to be useful for ACC. @Zzuuzz: what do you think? --MrClog (talk) 09:40, 27 March 2020 (UTC)
- I concur with that analysis. Although it's likely there are some infected devices using the IP, these are not necessarily proxies, so the probability of being a legitimate user is undefined. In fact most edits from the /24 network do appear legitimate. -- zzuuzz (talk) 21:04, 19 April 2020 (UTC)
188.72.102.7
{{proxycheckstatus}}
- 188.72.102.7 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: WHOIS reports this is PureVPN Bri.public (talk) 19:15, 6 November 2019 (UTC)
- 188.72.102.0/24 range blocked as a webhost. NinjaRobotPirate (talk) 04:52, 7 November 2019 (UTC)
154.160.xxx.yyy
{{proxycheckstatus}}
- 154.160.11.77 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 154.160.26.23 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 154.160.30.55 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits; reported as proxy by proxycheck.io via wmflabs' ipcheck ☆ Bri (talk) 02:45, 11 November 2019 (UTC)
- It was pointed out at COIN that ST47 blocked 154.160.26.23 based on long term abuse. The LTA [5] is not based in the ISP's geographic area, and routinely uses a proxy. ☆ Bri (talk) 15:34, 15 November 2019 (UTC)
- I can tell you from experience (as well as looking at this) that among other things this network contains certified dynamic open proxies, several banned users, and CU-confirmed COI farms. There is however a lot of collateral when we block it. It is otherwise a normal network (and quite an important one). -- zzuuzz (talk) 16:04, 15 November 2019 (UTC)
185.83.71.18
{{proxycheckstatus}}
- 185.83.71.18 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Used for sockpuppetry by Shingling334, reported as proxy by WhatIsMyIPAddress and IPQualityScore. IamNotU (talk) 17:57, 11 November 2019 (UTC)
- Open proxy: 24 Shells hosting. Blocked by Favonian. -- zzuuzz (talk) 16:10, 15 November 2019 (UTC)
113.150.100.49
{{proxycheckstatus}}
- 113.150.100.49 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious AfD nominations on high-profile pages. IPQualityScore gives an 89% chance of it operating as an open proxy, and it is blocked on ru.wiki and nl.wiki as an open proxy: [6]. 2601:1C0:4401:24A0:3C4C:2790:EFBB:586D (talk) 06:31, 12 November 2019 (UTC)
- Open proxy: openvpn. It's probably expired by now, but I blocked it for a month anyway. -- zzuuzz (talk) 15:37, 15 November 2019 (UTC)
64.2.184.130
{{proxycheckstatus}}
- 64.2.184.130 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits. User at this IP address made a few edits today at Occupation of the Malheur National Wildlife Refuge that appear to be nothing more than vandalism, and those have been the only edits from this IP address in the last week. But looking at the contributions from this IP address shows a long history of vandalism. A few examples of many: [7] [8] [9] [10] [11] [12] Please investigate. Thanks in advance! Yompi20 (talk) 21:00, 25 November 2019 (UTC)
- It has been blocked as a school. --MrClog (talk) 13:49, 14 March 2020 (UTC)
36.71.234.89
{{proxycheckstatus}}
- 36.71.234.89 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
This IP is making the same suspicious political POV edits (placing a map) on several wiki pages (including on foreign Wikipedia's as well). I checked it on several sites. All of them give that it is indeed a proxy. Reason: Suspicious edits Casperti (talk) 15:20, 6 December 2019 (UTC)
- Does not seem to be an open proxy. --MrClog (talk) 13:45, 14 March 2020 (UTC)
- Yup, it doesn't have a good reputation but also doesn't appear to be open at this time. -- zzuuzz (talk) 21:29, 19 April 2020 (UTC)
62.254.132.162
{{proxycheckstatus}}
- 62.254.132.162 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Listed as proxy/blacklisted. Mainly vandalism. Seems to be Shingling334 using it today. IamNotU (talk) 20:07, 16 December 2019 (UTC)
- IP is registered to Virgin Media Business. Doesn't seem to be an open proxy. However, the IP was CBL listed as infected with a virus/malware on March 10, but not anymore. May have been a zombie proxy. --MrClog (talk) 09:33, 27 March 2020 (UTC)
- Yup it's a bit inconclusive but I can't find anything open at this time. This fits one of Shingling334's known locations, which would be a remarkable coincidence for an open proxy. -- zzuuzz (talk) 12:41, 23 April 2020 (UTC)
116.84.110.175
{{proxycheckstatus}}
- 116.84.110.175 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
I'm pretty sure this is a proxy. I don't have the tools to know if it's an open proxy. I'm almost certain that the user is sock puppet. - MrX 🖋 14:03, 20 December 2019 (UTC)
- Based on my search, this IP is linked to Incheon International Airport, possibly a public Wifi there. Doesn't seem to be an open proxy. --MrClog (talk) 14:49, 13 March 2020 (UTC)
- Concur, it doesn't seem open now if it ever was. Maybe a layover? -- zzuuzz (talk) 10:32, 25 April 2020 (UTC)
8.8.8.8
{{proxycheckstatus}}
- 8.8.8.8 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 8.8.4.4 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: These IPs are Google Public DNS servers. Similar DNS servers such as 1.1.1.1 and 1.0.0.1 provided by Cloudflare through its service are also blocked (and globally locked). If applicable, the person doing the proxy check should do a range block. —BeyWHEELZ • T • C 16:27, 11 February 2020 (UTC)
- Declined to run a check They are blocked for colocation purposes, not because they are proxies. DNS != proxy. -- Amanda (aka DQ) 03:19, 15 February 2020 (UTC)
8.36.116.204/24
{{proxycheckstatus}}
- 8.36.116.204 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: The 8.36.116.0/24 IP range is registered to collocation webhost. The 8.36.116.204 IP has been used to make edits to Richard Grenell (edit | talk | history | links | watch | logs) that are similar to those made by sock puppets of Mmoates (talk · contribs). See SPI casepage. — BillHPike (talk, contribs) 18:52, 25 February 2020 (UTC)
- 8.36.116.0/24 is indeed registered to a colo. Doesn't seem to be an open proxy. --MrClog (talk) 09:25, 27 March 2020 (UTC)
- This is a debatable IP. It appears to belong to Netskope, which is an enterprise ("security solution") filtering proxy. Could it have been used by this user? Sure. However, I'm not seeing enough to block at this time, and I would recommend any future blocks be anon-only. -- zzuuzz (talk) 10:13, 25 April 2020 (UTC)
196.201.201.236
{{proxycheckstatus}}
- 196.201.201.236 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits (see WP:COIN), blacklisted at barracudacentral.org - Bri.public (talk) 19:04, 25 February 2020 (UTC)
- I couldn't find any evidence that this is an open proxy. Pinging Zzuuzz to confirm. --MrClog (talk) 14:30, 13 March 2020 (UTC)
- I'd agree with that. There is some evidence a trojan-infected computer might have been on the IP at some point, which might explain the blacklisting, but that appears to have been many years ago and we can't really draw any conclusions from that. The edit by this IP was also some time ago. If the article is to be believed, the geolocation is probably not too outrageous either. At least at this point in time, I don't see us doing anything about it. -- zzuuzz (talk) 15:36, 13 March 2020 (UTC)
212.214.4.200
{{proxycheckstatus}}
- 212.214.4.200 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Corporate mail server. IPQualityScore reports it as a proxy. IamNotU (talk) 01:20, 17 April 2020 (UTC)
- @IamNotU: IP is connected to a Stockholm office space. Can't find evidence it's an open proxy. --MrClog (talk) 07:58, 17 April 2020 (UTC)
- Concur. It's seems likely that it's related to the shared office space. -- zzuuzz (talk) 10:43, 25 April 2020 (UTC)
37.190.128.0/17
{{proxycheckstatus}}
- 37.190.151.98 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 37.190.149.217 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 37.190.150.185 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits by IPs noted above as if they are maintaining the Pier 1 Imports article financial data. Other weird edits from the Polish ISP range too, including possible promo on a Las Vegas concert residency [13]. ☆ Bri (talk) 23:17, 10 November 2019 (UTC)
- Declined to run a check stale. Recent activity on the /17 range, although not perfect, gives no reason to think there is a proxy on the range. FWIW, ipcheck confirmed this on the recently-editing ips. All in all, not worth performing a full check. --Mdaniels5757 (talk) 18:19, 30 April 2020 (UTC)
216.9.29.149
{{proxycheckstatus}}
- 216.9.29.149 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: toolforge ipcheck reports Fraud Score: 75, proxy=true & vandalism-only edits ☆ Bri (talk) 20:56, 27 April 2020 (UTC)
- @Bri: It was very likely an open proxy (on port
976
), and I suspect it may have been a zombie proxy. However, it does not seem to be an open proxy at this moment. --MrClog (talk) 21:12, 27 April 2020 (UTC)- Agreed. The edits are geo-appropriate. It looks there might be some schools on the range. -- zzuuzz (talk) 19:00, 1 May 2020 (UTC)
84.64.235.254
{{proxycheckstatus}}
- 84.64.235.254 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Requested unblock. It definitely should not be an indef block (this has been an LTA, and in quickly blocking, forgot to change the duration setting), but the vandal has been IP hopping using proxies, so if someone could investigate whether this is still an open proxy and revise the duration based on that information, I would appreciate it. — Wug·a·po·des 18:45, 4 May 2020 (UTC)
- @Wugapodes: It's a dynamic IP address owned by Vodafone UK (geolocates to Leeds). It's unlikely that this is an open proxy. --MrClog (talk) 19:04, 4 May 2020 (UTC)
- Based on the vandal this is actually quite suspicious. However I doubt we'll ever have confirmation. It is a dynamic broadband range, but with fairly extended allocations. I'd place the upper limit at around 2 months. I'll probably not change the block duration myself, but that is where it probably could be. -- zzuuzz (talk) 20:50, 4 May 2020 (UTC)
- I also found it suspicious. I've been routinely blocking these for ~31 hours and adjusted the block so it totals that length, but I'll keep the 2 month limit in mind. I'm never really sure about IP block lengths and tend to keep them under a week. — Wug·a·po·des 00:20, 5 May 2020 (UTC)
- Based on the vandal this is actually quite suspicious. However I doubt we'll ever have confirmation. It is a dynamic broadband range, but with fairly extended allocations. I'd place the upper limit at around 2 months. I'll probably not change the block duration myself, but that is where it probably could be. -- zzuuzz (talk) 20:50, 4 May 2020 (UTC)
45.83.40.14
{{proxycheckstatus}}
- 45.83.40.14 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Looks like a colo/webhost according to WHOIS data. IP vandalized USS Oberrender, along with other dynamic IPs. -- LuK3 (Talk) 02:58, 9 May 2020 (UTC)
- Checking... Mdaniels5757 (talk) 03:00, 9 May 2020 (UTC)
- @LuK3: Not a proxy. However, it definitely is a webhost (running Linux with an open SSH port), so I would have recommended a {{Colocationwebhost}} for 6 months or so had JJMC89 not just blocked them for 31hr. @JJMC89: thoughts? (FYI: the relevant range assigned to the webhost is 45.83.40.0/24) --Mdaniels5757 (talk) 03:16, 9 May 2020 (UTC)
- Range blocked for 6 months — JJMC89 (T·C) 03:20, 9 May 2020 (UTC)
- Thanks! Closing this (I think I'm allowed to do this because I'm just closing based on someone else's block, but if I need adult supervision, let me know :) ). Mdaniels5757 (talk) 03:23, 9 May 2020 (UTC)
- Range blocked for 6 months — JJMC89 (T·C) 03:20, 9 May 2020 (UTC)
185.26.97.138 (185.26.96.0/22)
{{proxycheckstatus}}
- 185.26.97.138 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: IP range 185.26.96.0/22 is running on a webhosting server, most recent used IP is 185.26.97.138. 2601:1C0:5:33D:944C:23E3:7841:2487 (talk) 04:02, 14 May 2020 (UTC)
- Likely IP is an open proxy Fornex offers VPN services. This is is probably a VPN. Pinging zzuuzz. --MrClog (talk) 07:37, 14 May 2020 (UTC)
- Although I'm not sure the whole /22 is a VPN (range is owned by a colo, but not by Fornex), so I would suggest blocking the /24, which is owned by Fornex. --MrClog (talk) 07:41, 14 May 2020 (UTC)
- You're about right, though I've blocked the /22. -- zzuuzz (talk) 14:41, 14 May 2020 (UTC)
- Although I'm not sure the whole /22 is a VPN (range is owned by a colo, but not by Fornex), so I would suggest blocking the /24, which is owned by Fornex. --MrClog (talk) 07:41, 14 May 2020 (UTC)
195.123.221.168
{{proxycheckstatus}}
- 195.123.221.168 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Appears to be the same user as above (185.26.97.138) using a mobile phone VPN. IamNotU (talk) 13:57, 14 May 2020 (UTC)
- IP is an open proxy 195.123.216.0/21 (talk · contribs · WHOIS) is registered to Seed4.me. --MrClog (talk) 14:01, 14 May 2020 (UTC)
- Yup, block time. courtesy ping -- zzuuzz (talk) 14:11, 14 May 2020 (UTC)
- I've blocked the /21. -- zzuuzz (talk) 14:42, 14 May 2020 (UTC)
- Yup, block time. courtesy ping -- zzuuzz (talk) 14:11, 14 May 2020 (UTC)
69.138.18.168
{{proxycheckstatus}}
- 69.138.18.168 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
On the Julio Anguita article, the address has done constant vandalism/linkspam. In one edit summary from this user, the user claimed that they were using Ipsharkk proxy service. The MetaWiki proxy checker reports that this IP address is probably a proxy address. Reason: Vandalism/linkspam Randompointofview (talk) 18:26, 18 May 2020 (UTC)
- Interesting. The IP is linked to the current TFA vandal so the short-term block will be fine for now. --MrClog (talk) 19:26, 18 May 2020 (UTC)
80.246.28.39
{{proxycheckstatus}}
- 80.246.28.39 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: IP has been vandalizing a few different articles for a few months. Proxy Checker indicating strong possibility of either open proxy or webhost. -- LuK3 (Talk) 18:04, 20 May 2020 (UTC)
- NordVPN. /24 also blocked. -- zzuuzz (talk) 18:22, 20 May 2020 (UTC)
163.47.126.0/24
{{proxycheckstatus}}
Reason: Belongs to "Dedicated Servers Australia". Recently used by 163.47.126.243 (talk · contribs · WHOIS) for block evasion. 2601:1C0:8:F85D:31D2:E3DA:AA36:8D6F (talk) 19:21, 22 May 2020 (UTC)
- 163.47.126.0/24 is "Virtual Datacentre; Cloud Hosting Services" per WHOIS. Reporter says one IP was used for block evasion (although it's not obvious to me). I'd block the range. --Mdaniels5757 (talk) 21:05, 23 May 2020 (UTC)
- 163.47.126.243 is Hola VPN. I've also blocked the /24. -- zzuuzz (talk) 19:32, 24 May 2020 (UTC)
80.211.250.154
{{proxycheckstatus}}
- 80.211.250.154 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: This is one of many IPs used by WhenDatHotlineBling to create abusive accounts. The Proxy API checker offers a mixed result. There isn't much activity on 80.211.248.0/21. Drmies (talk) 21:02, 6 June 2020 (UTC)
- @Drmies: WHOIS data alone gives me a decent clue: "Aruba S.p.A. - Cloud Services PL1". Visiting http://80.211.250.154 gets me a "HTTP Test Page powered by CWP CentOS-WebPanel.com". Although I couldn't connect to it as a proxy, the person paying for the web hosting service could. Given all that, a {{Colocationwebhost}} block for a couple years seems appropriate. Per WHOIS, the relevant range would be 80.211.248.0/21. I would treat this as Confirmed. --Mdaniels5757 (talk) 21:38, 6 June 2020 (UTC)
- The IP is proksiak.pl. Coincidentally, 80.211.249.154 is war01.bulletvpn.com. I've blocked the /21. -- zzuuzz (talk) 21:51, 6 June 2020 (UTC)
115.178.251.127
{{proxycheckstatus}}
- 115.178.251.127 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
This IP address is connected to an ACC request and currently affected by 115.178.224.0/19 rangeblock. I am not sure about the whole range however this very IP seems to belong to a legit Indonesian ISP and I see no reason to assume that it is an open proxy right now. Please check it out. -- Kostas20142 (talk) 01:18, 18 March 2020 (UTC)
- @Kostas20142: I couldn't find evidence that it is currently an open proxy. Pinging ST47 (ping!) to confirm, as (s)he blocked the account. MrClog (talk) 09:46, 18 March 2020 (UTC)
- @ST47: Please see above. Cheers, --Mdaniels5757 (talk) 00:45, 31 May 2020 (UTC)
- Block expired. Marking for closure. --Mdaniels5757 (talk) 14:35, 29 July 2020 (UTC)
- @ST47: Please see above. Cheers, --Mdaniels5757 (talk) 00:45, 31 May 2020 (UTC)
82.181.32.177 and like-minded IPs
{{proxycheckstatus}}
- 122.2.120.62 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 219.79.32.213 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 82.181.32.177 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits; see WPSPAM. Seems unlikely that three IPs across Pacific Rim then suddenly Finland want to insert the same spamlink. ☆ Bri (talk) 21:53, 13 May 2020 (UTC)
- I don't see any technical evidence that there is an open proxy on those IPs. That said, behavioral evidence for being sock- or meat-puppetry is good enough for a short block IMO. Otherwise, just more WP:SPAM. Mdaniels5757 (talk) 03:16, 14 May 2020 (UTC)
- Forgot ping: @Bri: Mdaniels5757 (talk) 03:17, 14 May 2020 (UTC)
192.196.160.0/19
{{proxycheckstatus}}
Reason: IP range belongs to "Telx Hosting", also known as "Digital Realty", which also provides webhosting services. IPs 192.196.160.0 to 192.196.191.255 all register under this webhosting service (which equates to the given /19 range). 2601:1C0:8:F85D:31D2:E3DA:AA36:8D6F (talk) 18:42, 22 May 2020 (UTC)
- Since I commented on disruption for another report that I filed below, I'll do the same here. Some problems include improperly cited material (although they could just be misguided), pure vandalism, more vandalism, WP:OVERLINK and WP:NOTBROKEN issues. 2601:1C0:3:70F0:90C0:28F3:3EEB:842B (talk) 19:05, 24 May 2020 (UTC)
- Given the number of apparently good edits from this range, I'm inclined to not recommend a proxyblock. Instead, short, targeted blocks of disruption are probably the better way. Marking for closure. --Mdaniels5757 (talk) 03:45, 30 May 2020 (UTC)
193.138.216.0/22
{{proxycheckstatus}}
Reason: Range belongs to a hosting service. 2601:1C0:8:F85D:7C3E:D79B:A43C:B27B (talk) 19:52, 22 May 2020 (UTC)
- It does, but I see no obvious disruption coming from the range recently, so a block may not be warranted. --Mdaniels5757 (talk) 21:09, 23 May 2020 (UTC)
- I was under the impression that editing via open proxies or webhosting servers is not permitted, even if users are not creating obvious disruption (and they are also blocked in order to prevent disruption). However, I will note some disruption that I see here. unsourced BLP, template disruption; there also seems to be a steady pattern of tenacious editing. I'll also note that this IP range was previously blocked as a webhosting server back in 2016. 2601:1C0:3:70F0:90C0:28F3:3EEB:842B (talk) 18:56, 24 May 2020 (UTC)
- The 'not permitted' policy was thrown out in 2007, however they may be blocked to prevent disruption. We need to balance potential disruption with collateral, as well as clogging up this noticeboard and volunteer time with unnecessary requests for investigations and blocks. Therefore strong examples of disruption are welcome when reporting here. -- zzuuzz (talk) 19:30, 24 May 2020 (UTC)
- Understood, and thank you for clarifying. I'll just leave this here to note, but 193.138.218.206 (talk · contribs · WHOIS) was just blocked for obvious disruption within that IP range. 2601:1C0:4:65EC:D917:995F:CF98:49E5 (talk) 04:14, 25 May 2020 (UTC)
- Given the number of apparently good edits from this range, I'm inclined to not recommend a proxyblock. Instead, short, targeted blocks of disruption are probably the better way. Marking for closure. --Mdaniels5757 (talk) 03:43, 30 May 2020 (UTC)
- Understood, and thank you for clarifying. I'll just leave this here to note, but 193.138.218.206 (talk · contribs · WHOIS) was just blocked for obvious disruption within that IP range. 2601:1C0:4:65EC:D917:995F:CF98:49E5 (talk) 04:14, 25 May 2020 (UTC)
- The 'not permitted' policy was thrown out in 2007, however they may be blocked to prevent disruption. We need to balance potential disruption with collateral, as well as clogging up this noticeboard and volunteer time with unnecessary requests for investigations and blocks. Therefore strong examples of disruption are welcome when reporting here. -- zzuuzz (talk) 19:30, 24 May 2020 (UTC)
- I was under the impression that editing via open proxies or webhosting servers is not permitted, even if users are not creating obvious disruption (and they are also blocked in order to prevent disruption). However, I will note some disruption that I see here. unsourced BLP, template disruption; there also seems to be a steady pattern of tenacious editing. I'll also note that this IP range was previously blocked as a webhosting server back in 2016. 2601:1C0:3:70F0:90C0:28F3:3EEB:842B (talk) 18:56, 24 May 2020 (UTC)
193.176.211.0/24
{{proxycheckstatus}}
Reason: Recent disruption from 193.176.211.29 (talk · contribs · WHOIS). Appears to be a VPN of some sort. 2601:1C0:E:65ED:B5AB:B05C:4126:8AA7 (talk) 17:24, 25 May 2020 (UTC)
- Likely IP is an open proxy. This is a bit of a mess. I was not able to connect to the proxy directly, so this is relying on other evidence. The /24 is assigned to a CDN (Maxozo/PANQ). Its BGP data show that it is also assigned to a "Security Firewall Ltd" AS. Security Firewall Ltd sounds like the kind of company that could host a proxy/vpn. Confirming this, Security Firewall Ltd is owned by Digital Energy Technologies Ltd, which is a webhost.
- All in all,
{{Colocationwebhost}}
block recommended. --Mdaniels5757 (talk) 04:08, 30 May 2020 (UTC)- Done July 20, marking for closure. --Mdaniels5757 (talk) 14:33, 29 July 2020 (UTC)
68.7.230.251
{{proxycheckstatus}}
- :68.7.230.251 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- :68.43.81.73 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- :68.104.150.3 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious on Catalent. IPcheck/IPQualityScore indicates 68.7.230.251 is proxy & bot, Fraud Score: 100. 68.104.150.3 operates a proxy now according to proxy checker. ☆ Bri (talk) 05:17, 29 May 2020 (UTC)
- If this checks, there are more IPs listed at WP:Conflict of interest/Noticeboard#Catalent that you might want to have a look at. ☆ Bri (talk) 15:17, 29 May 2020 (UTC)
- Checking... Mdaniels5757 (talk) 15:22, 29 May 2020 (UTC)
- Unlikely IP is an open proxy for all 3. --Mdaniels5757 (talk) 15:28, 29 May 2020 (UTC)
103.253.74.4
{{proxycheckstatus}}
- 103.253.74.4 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Strong indication of being an open proxy per ProxyChecker. IP has also vandalized multiple user talk pages, see edit filter. -- LuK3 (Talk) 00:19, 11 June 2020 (UTC)
- Declined to run a check: Already blocked as a proxy for harassment. --Mdaniels5757 (talk) 02:13, 11 June 2020 (UTC)
124.105.197.141
{{proxycheckstatus}}
- 124.105.197.141 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits because it's had blocked before. It's had blocked two times by bot. ~ Junior5a (Talk) Cont 03:30, 14 June 2020 (UTC)
- IP is an open proxy {{zombie proxy}} (likely MikroTek router vulnerability). Admin assistance requested: Please block User:124.105.197.141 as a {{zombie proxy}}. Given the previous 2 proxy blocks (4 months total), I'd go for 6 months to 1 year, but who cares what I think? User:GeneralNotability (dang, that'll take getting used to) is responsible for their current 1 week block. --Mdaniels5757 (talk) 01:21, 17 June 2020 (UTC)
- Mdaniels5757, braaaiiinnssss...er, I mean Done. Blocked for one year since clearly the proxy issues haven't been resolved. GeneralNotability (talk) 01:35, 17 June 2020 (UTC)
221.158.120.48
{{proxycheckstatus}}
- 221.158.120.48 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Vandalism and trolling from a prolific banned editor. 2601:1C0:B:4885:9484:FB9E:1E5C:6851 (talk) 16:50, 18 June 2020 (UTC)
- NMAP says no ports are open. That being said it's a static ip.108.21.73.223 (talk) 06:01, 21 June 2020 (UTC)
- Ping doesn't work, probably not an open proxy Unlikely. — Preceding unsigned comment added by Feresia (talk • contribs) 18:26, 21 June 2020 (UTC)
51.195.21.187
{{proxycheckstatus}}
- 51.195.21.187 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
This whole range appears to be dedicated to OVH webhosting.
Reason: Spam edits. Conifer (talk) 18:04, 24 June 2020 (UTC)
- The /24 is Confirmed to be a {{colocationwebhost}} via WHOIS/BGP data. (Technically the /16 is, but the /24 is where the abuse is coming from, so I'd consider just blocking that).
Admin assistance requested: Please consider a {{colocationwebhost}} block for a) 51.195.21.187 (the offending IP), b) 51.195.21.0/24 (a smaller OVH range it belongs to), c) 51.195.0.0/16 (all OVH, but a big range, so I'd worry about possible collateral if it's a hard block), or d) something in between. Cheers, --Mdaniels5757 (talk) 20:42, 24 June 2020 (UTC) - Done blocked the /24 for 6 months. GeneralNotability (talk) 01:18, 28 June 2020 (UTC)
65.242.53.98
{{proxycheckstatus}}
- 65.242.53.98 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspected block evasion by Hoaeter (talk · contribs) and/or affiliated accounts, which had previously used a proxy IP (see WP:SPI/Hoaeter); already blocked for 31 hours. Toolforge results indicate more than one proxy finding, but I'm unsure that tool is being maintained (i.e. accurate). Gyrofrog (talk) 23:46, 27 June 2020 (UTC)
- Not currently an open proxy Mdaniels5757 (talk) 17:45, 30 June 2020 (UTC)
111.119.187.58 and 103.255.5.27
{{proxycheckstatus}}
- 111.119.187.58 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 103.255.5.27 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits to same Pakistan landmark
- 111.119: ipqualityscore.com reports proxy, whatismyipaddress.com reports proxy
- 103.255: ipqualityscore reports proxy, ipcheck reports compromised server, whatismyipaddress.com gives recently reported forum spam source
☆ Bri (talk) 23:47, 30 June 2020 (UTC)
- Checking... --Mdaniels5757 (talk) 17:34, 1 July 2020 (UTC)
- @Bri: Possilikely (a mix between possible and likely) an zombie proxy, but more likely a user with a dynamic IP (same ISP, same geolocation). Article protected. No further action needed. --Mdaniels5757 (talk) 19:25, 1 July 2020 (UTC)
"Host seems down. If it is really up, but blocking our ping probes, try -Pn" 108.54.126.79 (talk) 23:19, 2 July 2020 (UTC)
103.60.175.51
{{proxycheckstatus}}
- 103.60.175.51 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
I have blocked this IP for two weeks per a complaint at ANI. This may be the same person as Special:Contributions/103.60.175.78. See the complaint at ANI. User:Peaceray made the complaint, stating "making hundreds of edits (semi-automated?) making color changes to tables in articles & templates, & leaving no edit summaries. This has made edits that appear to be identical to 103.60.175.78 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log), who recently has been blocked for two years (by User:ToBeFree). I am in the process of rolling back the disruptive edits." I notice that this *.51 IP made about 400 edits on 2 July and only a handful before that. WHOIS says this IP is part of a /24 range operated by Mazeda Networks in Bangladesh. The IP 103.60.175.78 is blocked two years at meta as an open proxy:
- 19:41, 20 June 2020: User:علاء (meta.wikimedia.org) globally blocked 103.60.175.78 (global block log) (expires on 20 June 2021 at 19:41)
- The *.51 and the *.78 are part of the same /24 range. It would be interesting to know if a long block of the whole /24 would be justified. -- EdJohnston (talk) 02:56, 3 July 2020 (UTC)
- Checking... --Mdaniels5757 (talk) 16:40, 3 July 2020 (UTC)
- @EdJohnston: Unlikely an open proxy. The range seems to belong to a normal ISP, so I wouldn't block for being a colo/webhost or similar. If there was no collateral, I'd recommend blocking the /24 anyways, but it looks like there would be some collateral (see Special:Contributions/103.60.175.51/24 pre-July), so playing whack-a-mole is probably the best option. Sorry. Best, --Mdaniels5757 (talk) 16:48, 3 July 2020 (UTC)
- Further probable block evasion by an IP editor in the same range: 103.60.175.41 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log) has been making hundreds of edits (semi-automated) making color changes to tables in articles & templates, & leaving no edit summaries. This has made edits that appear to be identical to 103.60.175.78 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log), who has been blocked for two years. Yesterday, another attempt at block evasion, 103.60.175.51 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log) was blocked. Peaceray (talk) 20:12, 3 July 2020 (UTC)
- @Peaceray and EdJohnston: Yeah, notwithstanding the collateral (see the edits from May), a block of the /24 may still be warranted (just not a proxy block). --Mdaniels5757 (talk) 20:27, 3 July 2020 (UTC)
- Further probable block evasion by an IP editor in the same range: 103.60.175.41 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log) has been making hundreds of edits (semi-automated) making color changes to tables in articles & templates, & leaving no edit summaries. This has made edits that appear to be identical to 103.60.175.78 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log), who has been blocked for two years. Yesterday, another attempt at block evasion, 103.60.175.51 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log) was blocked. Peaceray (talk) 20:12, 3 July 2020 (UTC)
- @EdJohnston: Unlikely an open proxy. The range seems to belong to a normal ISP, so I wouldn't block for being a colo/webhost or similar. If there was no collateral, I'd recommend blocking the /24 anyways, but it looks like there would be some collateral (see Special:Contributions/103.60.175.51/24 pre-July), so playing whack-a-mole is probably the best option. Sorry. Best, --Mdaniels5757 (talk) 16:48, 3 July 2020 (UTC)
93.189.43.26
{{proxycheckstatus}}
- 93.189.43.26 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Already blocked the account (after checking my CU glasses). LTA, who was doing this yesterday also. Thanks for your help. Drmies (talk) 18:46, 19 July 2020 (UTC)
- @Drmies: Confirmed via WHOIS: 93.189.40.0/22 is a {{colocationwebhost}}. --Mdaniels5757 (talk) 21:44, 21 July 2020 (UTC)
- Mdaniels5757, I appreciate you: thanks. Drmies (talk) 23:47, 21 July 2020 (UTC)
- @Drmies: You're welcome. You could probably rangeblock it if you want. --Mdaniels5757 (talk) 00:02, 22 July 2020 (UTC)
- Mdaniels5757, I am going to leave that to the experts. I have some decent qualities, but deciding on a block like that is not one of them. I mean, I'd simply block and block account creation, but I wouldn't know for how long, for instance. So please, go ahead. :) (or, let me know when you file that RfA...) Drmies (talk) 00:35, 22 July 2020 (UTC)
- @Drmies: Haha might be a while on the RfA :). Given that this has been a webhost for years, I'd {{webhostblock}} 93.189.40.0/22 for 2 years with account creation blocked, and anon only NOT set (unless your CU goggles say that there would be collateral damage). --Mdaniels5757 (talk) 00:39, 22 July 2020 (UTC)
- Done. Marking for closure. --Mdaniels5757 (talk) 14:32, 29 July 2020 (UTC)
- @Drmies: Haha might be a while on the RfA :). Given that this has been a webhost for years, I'd {{webhostblock}} 93.189.40.0/22 for 2 years with account creation blocked, and anon only NOT set (unless your CU goggles say that there would be collateral damage). --Mdaniels5757 (talk) 00:39, 22 July 2020 (UTC)
- Mdaniels5757, I am going to leave that to the experts. I have some decent qualities, but deciding on a block like that is not one of them. I mean, I'd simply block and block account creation, but I wouldn't know for how long, for instance. So please, go ahead. :) (or, let me know when you file that RfA...) Drmies (talk) 00:35, 22 July 2020 (UTC)
- @Drmies: You're welcome. You could probably rangeblock it if you want. --Mdaniels5757 (talk) 00:02, 22 July 2020 (UTC)
- Mdaniels5757, I appreciate you: thanks. Drmies (talk) 23:47, 21 July 2020 (UTC)
IP104.245.146.0/24
{{proxycheckstatus}}
104.245.146.56 is signaled as a proxy, and it has been used by a well-known LTA. Drmies (talk) 02:45, 5 August 2020 (UTC)
- @Drmies: 104.245.144.0/22 (talk · contribs · WHOIS) is Confirmed a {{colocationwebhost}} (via WHOIS). Given the previous 1yr hardblock on that range, a 2-3 year hardblock would make sense. --Mdaniels5757 (talk) 18:09, 5 August 2020 (UTC)
- Mdaniels5757, thank you. You get an extra scoop of dessert tonight. I appreciate it. Drmies (talk) 20:56, 5 August 2020 (UTC)
- @Drmies: Haha, you're welcome. (FYI, you left "anon only" set; I think proxies are normally hardblocked (anon only not set).) --Mdaniels5757 (talk) 23:25, 5 August 2020 (UTC)
- Mdaniels5757, I applied the same block that was there before, and that's also the default for "webhostblock". There's different terminology: there is no "setting" of anon only in the blocking screen; there's "Apply block to logged-in users from this IP address". For tech people like you, that's easy, of course; people like me have to think about that a bit. :) Anyway, when y'all communicate these things, please keep in mind that the default for these blocks isn't always the default that you may think it is, and that sometimes you're talking to an audience that can make a posset without looking at a recipe (simple--2 cups cream, 2/3 cup sugar, 6 tbsp of lemon juice), but need to think about this kind of stuff. Thanks, Drmies (talk) 00:37, 6 August 2020 (UTC)
- @Drmies: Oops, sorry about that. (also, of course "anon only" is what's shown (or not shown) in the block log, but "apply block to logged-in users from this IP address"; why would those two things be consistent... /s) Best, --Mdaniels5757 (talk) 01:23, 6 August 2020 (UTC)
- Mdaniels5757, I applied the same block that was there before, and that's also the default for "webhostblock". There's different terminology: there is no "setting" of anon only in the blocking screen; there's "Apply block to logged-in users from this IP address". For tech people like you, that's easy, of course; people like me have to think about that a bit. :) Anyway, when y'all communicate these things, please keep in mind that the default for these blocks isn't always the default that you may think it is, and that sometimes you're talking to an audience that can make a posset without looking at a recipe (simple--2 cups cream, 2/3 cup sugar, 6 tbsp of lemon juice), but need to think about this kind of stuff. Thanks, Drmies (talk) 00:37, 6 August 2020 (UTC)
- @Drmies: Haha, you're welcome. (FYI, you left "anon only" set; I think proxies are normally hardblocked (anon only not set).) --Mdaniels5757 (talk) 23:25, 5 August 2020 (UTC)
- Mdaniels5757, thank you. You get an extra scoop of dessert tonight. I appreciate it. Drmies (talk) 20:56, 5 August 2020 (UTC)
IP 2001:67C:2628:0:0:0:0:0/48
{{proxycheckstatus}}
Much racist swinery came from 2001:67C:2628:647:7A45:C4FF:FEF8:4461, and a note popped up that this was a proxy. Thanks, Drmies (talk) 01:24, 9 August 2020 (UTC)
- @Drmies: Likely used for Opera's built-in proxy/vpn. —Mdaniels5757 (talk) 01:12, 10 August 2020 (UTC)
- That's bad, right? I hate opera. Never understand why Inspector Morse cared for it. Drmies (talk) 01:15, 10 August 2020 (UTC)
- @Drmies: Yes, that's bad :). The closest template to use is {{blocked proxy}}. (and to clarify, it's the whole /48) —Mdaniels5757 (talk) 01:23, 10 August 2020 (UTC)
- Alright then. I had blocked them for "racist swinery" but what you say sounds better. Drmies (talk) 01:31, 10 August 2020 (UTC)
- @Drmies: Yes, that's bad :). The closest template to use is {{blocked proxy}}. (and to clarify, it's the whole /48) —Mdaniels5757 (talk) 01:23, 10 August 2020 (UTC)
- That's bad, right? I hate opera. Never understand why Inspector Morse cared for it. Drmies (talk) 01:15, 10 August 2020 (UTC)
64.18.9.0/16
{{proxycheckstatus}}
Reason: This Google Web Services IP had engaged in possible disruptive edits such as this. Off the shelf proxy checker tool shows an 65% confidence on being a proxy. Enteryourusername8 (talk) 04:01, 12 August 2020 (UTC)
- Not currently an open proxy (at least as to 64.18.158.50) —Mdaniels5757 (talk • contribs) 15:04, 12 August 2020 (UTC)